Abstract: The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. By building upon a technique introduced by Ajtai, we show the existence of Hermite-Korkine-Zolotarev reduced bases that are arguably least reduced. We prove that for such bases, Kannan's algorithm solving the shortest lattice vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ bit operations in dimension $d$. This matches the best complexity upper bound known for this algorithm. These bases also provide lower bounds on Schnorr's constants $\alpha_d$ and $\beta_d$ that are essentially equal to the best upper bounds. Finally, we also show the existence of particularly bad bases for Schnorr's hierarchy of reductions.

Key-words: Lattice basis reduction, shortest vector problem, HKZ-reduction, BKZ-reduction 



* CNRS and Université de Lyon / ENS Lyon / LIP, 46 allée d'Italie, 69364 Lyon Cedex 07, France.



Unité de recherche INRIA Lorraine
LORIA, Technopôle de Nancy-Brabois, Campus scientifique,
615, rue du Jardin Botanique, BP 101, 54602 Villers-Lès-Nancy (France)




Worst-case Hermite-Korkine-Zolotarev reduced bases.

Summary: The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. Using a technique due to Ajtai, we prove the existence of Hermite-Korkine-Zolotarev reduced bases that are as badly reduced as possible. For such bases, Kannan's algorithm for solving the shortest vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ elementary operations in dimension $d$, which coincides with the best known upper bound on its complexity. These bases also provide lower bounds on Schnorr's constants $\alpha_d$ and $\beta_d$, which again coincide with the best known upper bounds. Finally, we show the existence of bad reduced bases for the algorithms of Schnorr's hierarchy.

Keywords: Lattice reduction, shortest vector problem, HKZ reduction, BKZ reduction
1 Introduction

A lattice $L$ is a discrete subgroup of a euclidean space $\mathbb{R}^n$. Such an object can always be written as the set of integer linear combinations of some linearly independent vectors $b_1, \ldots, b_d \in \mathbb{R}^n$. The $b_i$'s form a basis of $L$. Such a representation is not unique, but all bases share the same cardinality $d$, called the lattice dimension. Another lattice invariant is the so-called lattice volume $\det(L)$, which is defined as the geometric $d$-dimensional volume of any parallelepiped $\mathcal{P}(b_i) = \{\sum_i y_i b_i,\ y_i \in [0, 1]\}$ spanned by a lattice basis $(b_i)_i$. When $d \geq 2$, a given lattice has an infinity of bases, related to one another by unimodular transformations. Some bases are better than others, in particular under the light of applications such as algorithmic number theory [5] and cryptography [15, 13]. In these applications, one is mostly interested in lattice bases made of rather short and rather orthogonal vectors. Such bases are called reduced. One often distinguishes between reductions that are rather weak but can be computed efficiently and reductions that are strong but that require a much larger amount of computational resources. The main reduction of the first family is the celebrated LLL-reduction [12], whereas the most famous one in the second family is the Hermite-Korkine-Zolotarev reduction (HKZ for short). There exist compromises between LLL and HKZ reductions, such as Schnorr's Block-Korkine-Zolotarev (BKZ) reductions [19] depending on a parameter $k$: the 2-BKZ reduction is essentially the LLL reduction whereas the $d$-BKZ reduction is exactly the HKZ reduction. Other compromises have been considered in [19, 18, 7].

From the algorithmic point of view, LLL-reduction can be reached in time polynomial in the lattice dimension. The other parameters, such as the dimension of the embedding space and the bit-size of the initial vectors, are of small interest here since all the described algorithms have polynomial complexities with respect to them. On the other extreme, there are two main algorithms to compute an HKZ-reduced basis. The first one is due to Kannan [11] and was improved by Helfrich and Schnorr [9, 19]. Its complexity has been revised downwards by Hanrot and Stehlé [8] who proved a $d^{\frac{d}{2e}(1+o(1))}$ upper bound. The other algorithm is due to Ajtai, Kumar and Sivakumar [2] and its complexity upper bound was re-assessed recently by Nguyen and Vidick [16]: its cost is provably bounded by $2^{5.9 \cdot d}$. The latter algorithm has a much better asymptotic complexity upper bound than Kannan's. However, it suffers from two drawbacks: firstly, it requires an exponential space whereas Kannan's space requirement is polynomial; secondly, it is probabilistic in the sense that there is a tiny probability that the computed basis is not HKZ-reduced, whereas Kannan's algorithm is deterministic. In practice, for manageable problem sizes, it seems that adaptations of Kannan's algorithm still outperform the algorithm of Ajtai, Kumar and Sivakumar. One of the results of the present paper is to provide a worst-case complexity lower bound to Kannan's algorithm which is essentially the same as the $d^{\frac{d}{2e}(1+o(1))}$ complexity upper bound: it proves that from the worst-case point of view, Kannan's algorithm is asymptotically worse than the one of Ajtai, Kumar and Sivakumar. In the compromises between LLL and HKZ-reductions, an algorithm computing HKZ-reduced bases (either Kannan's or the one of Ajtai, Kumar and Sivakumar) is used on $k$-dimensional bases, where $k$ is the parameter of the compromise. When $k$ is greater than $c \log d$ for some constant $c$, the complexities of the compromise algorithms are $k^{O(k)}$ or $2^{O(k)}$ depending on the chosen HKZ-reduction algorithm.
The main result of the present paper is to prove the existence of HKZ-reduced bases which are arguably least reduced possible. These bases are good corner cases for strong lattice reductions. We prove that given them as input, Kannan's algorithm costs at least $d^{\frac{d}{2e}(1+o(1))}$ binary operations in dimension $d$, thus completing the worst-case analysis of Kannan's algorithm. This proves that the Ajtai-Kumar-Sivakumar algorithm is strictly better than Kannan's from the worst-case asymptotic time complexity perspective. These lattice bases also provide lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$ which play a central role to estimate the quality of Schnorr's hierarchies of reductions. As a by-product, we improve the best known upper bound for $\alpha_k$, and the lower and upper bounds essentially match. Our lower bound on $\beta_k$ matches its best known upper
bound, provided by Q. This gives weight to the fact that the primal-dual reduction therein may 
be better than Schnorr's classical hierarchy. Finally, we provide lattice bases that are particularly 
bad for Schnorr's hierarchy of reduction algorithms. 

To achieve these results, we simplify and build upon a technique introduced by Ajtai in [1] to show lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$. These lower bounds were of the same orders of magnitude as the best upper bounds, but with undetermined constants in the exponents. It consists in building random lattice bases that are HKZ-reduced with non-zero probability and such that the quantities under investigation (e.g., Schnorr's constants) are close to the best known upper bounds. The random lattice bases are built from their Gram-Schmidt orthogonalisations.

Road-map. In Section 2 we provide the background that is necessary for understanding the rest of the article. In Section 3 we simplify Ajtai's method to generate lattice bases. We use it first in Section 4 to show the existence of worst-case HKZ-reduced bases with respect to the orthogonality of the basis vectors. Using these bases, we provide lower bounds to the worst-case cost of Kannan's algorithm and to Schnorr's constants $\alpha_k$ and $\beta_k$, in Section 5. We use Ajtai's technique a second time in Section 6 to build lattice bases that are particularly bad for Schnorr's hierarchy of reduction algorithms. Finally, in Section 7 we draw a list of possible natural extensions of our work.

Notation. If $y$ is a real number, we let $\lfloor y \rceil$ denote its closest integer (with any rule for the ambiguous cases), and we define $\{y\} = y - \lfloor y \rceil$. If $a < b$, we let $[\![a, b]\!]$ denote the set of integers belonging to the interval $[a, b]$. All logarithms used are in base $e$. Finally, for $x$ a real number, we define $(x)_+ := \max(x, 0)$.

2 Background on Lattices 

We refer to flU for a complete introduction to lattices. 

Gram-Schmidt orthogonalisation. Let $b_1, \ldots, b_d$ be linearly independent vectors. We define $b_i^* = b_i - \sum_{j<i} \mu_{i,j} b_j^*$ with $\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2}$. The $b_i^*$'s are orthogonal and, for any $i$, we have that the linear span of the $b_j^*$'s for $j \leq i$ is exactly the span of the $b_j$'s for $j \leq i$. If $j \leq i$, we denote by $b_i(j)$ the projection of $b_i$ orthogonally to the vectors $b_1, \ldots, b_{j-1}$. We have $b_i(j) = b_i^* + \sum_{k=j}^{i-1} \mu_{i,k} b_k^*$.
Minkowski's inequality. For all integer $d \geq 1$, there exists a constant $\gamma_d$, called Hermite's constant, such that for any $d$-dimensional lattice $L$ there exists a non-zero vector $b \in L$ with $\|b\| \leq \sqrt{\gamma_d} \cdot (\det L)^{\frac{1}{d}}$. The latter relation is known as Minkowski's inequality. Hermite's constant satisfies $\gamma_d \leq d$. Asymptotically, one has $\frac{1.744\,d}{2\pi e}(1 + o(1)) \geq \gamma_d \geq \frac{d}{2\pi e}(1 + o(1))$ (see OH for the upper bound). We define the minimum of a lattice $L$ as the length of a shortest non-zero vector, and we let it be denoted by $\lambda(L)$. Minkowski's inequality can be easily restated in terms of the Gram-Schmidt orthogonalisation of any basis $(b_i)_i$ of $L$ since $\det(L) = \prod_i \|b_i^*\|$:

$$\lambda(L) \leq \sqrt{\gamma_d} \cdot \Big( \prod_{i=1}^{d} \|b_i^*\| \Big)^{\frac{1}{d}}.$$

Hermite-Korkine-Zolotarev reduction. A basis $(b_i)_i$ of a lattice $L$ is said to be HKZ-reduced if its first vector reaches the minimum of $L$ and if orthogonally to $b_1$ the other $b_i$'s are themselves HKZ-reduced. This implies that for any $i$ we have $\|b_i^*\| \leq \sqrt{\gamma_{d-i+1}} \cdot \big( \prod_{j=i}^{d} \|b_j^*\| \big)^{\frac{1}{d-i+1}}$. We call these $d - 1$ inequalities the primary Minkowski inequalities. Many other Minkowski-type inequalities are satisfied by an HKZ-reduced basis since the HKZ-reducedness of $(b_1, \ldots, b_d)$ implies the HKZ-reducedness of any basis $(b_i(i), \ldots, b_j(i))$ for any $i \leq j$.

Schnorr's hierarchies of reductions. A basis $(b_1, \ldots, b_d)$ is called Block-Korkine-Zolotarev reduced with block-size $k$ ($k$-BKZ for short) if for any $i \leq d - k + 1$ the $k$-dimensional basis $(b_i(i), \ldots, b_{i+k-1}(i))$ is HKZ-reduced. This reduction was initially called $k$-reduction in [19]. Schnorr also introduced the block-$2k$-reduction: a basis $(b_1, \ldots, b_d)$ is block-$2k$-reduced if for any $i \leq \lceil d/k \rceil - 2$, the basis $(b_{ik+1}(ik+1), \ldots, b_j(ik+1))$ with $j = \min(d, (i+2)k)$ is HKZ-reduced. Any $2k$-BKZ-reduced basis is block-$2k$-reduced and any block-$2k$-reduced basis is $k$-BKZ-reduced. In the following, we will concentrate on the BKZ hierarchy of reductions.

Schnorr's constants. In order to analyze the quality of the $k$-BKZ and block-$2k$ reductions, Schnorr introduced the constants

$$\alpha_k = \max_{(b_i)_{i \leq k} \text{ HKZ-reduced}} \frac{\|b_1\|^2}{\|b_k^*\|^2} \quad \text{and} \quad \beta_k = \max_{(b_i)_{i \leq 2k} \text{ HKZ-reduced}} \left( \frac{\prod_{i \leq k} \|b_i^*\|}{\prod_{i > k} \|b_i^*\|} \right)^{\frac{2}{k}}.$$

The best known upper bounds on $\alpha_k$ and $\beta_k$ are $k^{1+\log k}$ and $\frac{1}{10} k^{2 \log 2}$ (see [19, 7]). We will improve the upper bound on $\alpha_k$ in Section 5. Any $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ of a lattice $L$

/ d_l d-l 1 \ 

satisfies ||6i|| < min I k~£ =l ,a k t ~ 1 I A(L). Ajtai [1J showed that a k > k clogk for some con- 



stant c, so that the first upper bound is stronger than the second one. Furthermore, every block- 
2/c-reduced basis (61, ... , b mk ) of a lattice L satisfies \\bi \\ < \fk\ffi\™ 1 X A(L) (see [fT9ll20l ). 



3 Ajtai's Drawing of HKZ-Reduced Bases

Consider a dimension $d > 0$ and a function $f : [\![1, d]\!] \to \mathbb{R}^+ \setminus \{0\}$. By generalising an argument due to Ajtai [1], we prove that one can build a $d$-dimensional lattice basis which is HKZ-reduced and such that $\|b_i^*\| = f(i)$, under a "Minkowski-type" condition for the values of $f$.

Theorem 1 Let $d > 0$ and $f : [\![1, d]\!] \to \mathbb{R}^+ \setminus \{0\}$. Assume that for any $j \leq d$, one has

tmn-<m:mh 

Then there exists an HKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = f(i)$.

The condition above might seem intricate at first glance, though it is in fact fairly natural. 
The term (j — i)~ 3 ~ Y[{=i ~fm resembles Minkowski's inequality. It is natural that it should 
occur for all (i, j), since for an HKZ-reduced basis Minkowski's inequality is satisfied for all 
bases (bi(i), . . . ,bj(i)). Another way of stating this is that a necessary condition for a basis to 
be HKZ-reduced would be 

^giw^-a)")* (nf)< 1 - 

This is merely a restatement of the fact that, since Minkowski's inequality is verified for any 
pair (i,j), the i-th term is at most 2~^~ l \ so that the sum is < 1. In view of the fact that 
asymptotically ^ d < 1, J 44rf (l + o(l)), we see that we are not far from an optimal condition. 

Lemma 1 is the core of the proof of Theorem 1. It bounds the probability that when a random basis $(b_1, \ldots, b_d)$ is built appropriately, any lattice vector $\sum_i x_i b_i$ with $x_d \neq 0$ will be longer than $b_1$.

Lemma 1 Let $(b_1, \ldots, b_{d-1})$ be a lattice basis and let $b_d$ be a random vector. We suppose that:

1. For any $i \leq d$, we have $\|b_i^*\| = f(i)$.

2. The $\mu_{d,i}$'s for $i < d$ are independent random variables uniformly distributed in $[-1/2, 1/2]$.

Let $p$ be the probability that there exists $(x_1, \ldots, x_d)$ with $x_d \neq 0$ such that $\|\sum_i x_i b_i\| \leq \|b_1\|$. Then:



P 



< 



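Proof. Wlog we can assume $x_d > 0$. We can write

$$\sum_{i \leq d} x_i b_i = \sum_{i \leq d} \Big( x_i + \sum_{j=i+1}^{d} \mu_{j,i} x_j \Big) b_i^*.$$

For $i \leq d$, we define $u_i = x_i + \big\lfloor \sum_{j=i+1}^{d} \mu_{j,i} x_j \big\rceil$ and $\delta_i = \big\{ \sum_{j=i+1}^{d} \mu_{j,i} x_j \big\}$. Notice that $\delta_i = \big\{ \mu_{d,i} x_d + \sum_{j=i+1}^{d-1} \mu_{j,i} x_j \big\}$ is made of a random term ($\mu_{d,i} x_d$) and a constant term ($\sum_{j=i+1}^{d-1} \mu_{j,i} x_j$). Since $x_d \neq 0$ and since the $\mu_{d,i}$'s are distributed independently and uniformly in $[-1/2, 1/2]$, the same holds for the $\delta_i$'s (for each fixed choice of $(x_1, \ldots, x_d)$). The event defining $p$ can thus be rewritten as

$$\exists u_d \in \mathbb{Z}_{>0},\ \exists (u_1, \ldots, u_{d-1}) \in \mathbb{Z}^{d-1}, \quad \sum_{i<d} (u_i + \delta_i)^2 f(i)^2 \leq f(1)^2 - u_d^2 f(d)^2.$$

The probability of this event is $0$ if $f(1)^2 - u_d^2 f(d)^2 < 0$. We shall thus assume in the sequel that $0 < u_d \leq f(1)/f(d)$. The probability $p$ is then bounded by

$$\sum_{0 < u_d \leq f(1)/f(d)}\ \sum_{(u_1, \ldots, u_{d-1}) \in \mathbb{Z}^{d-1}} \Pr\Big( \sum_{i<d} (u_i + \delta_i)^2 f(i)^2 \leq f(1)^2 - u_d^2 f(d)^2 \Big).$$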



Let $c > 0$ be an arbitrary constant. We can estimate the last upper bound by using the inequality



Pr J>> + 5,) 2 /« 2 < /(l) 2 - u 2 J(d) 2 < 



. i<d 



exp c — c- 



f(i) 2 -u d f(dy 



dS. 



Summing over the itj's, we obtain the estimate 



E 



exp ( c — < 



i<d 



m) 2 -u 2 j(d) 2 

SUM 2 



dS 



m) 2 -u 2 j(df 



d-l 
2\ 2 



d5i 



AO' 



Taking $c = (d-1)/2$ and summing over $x_d = u_d > 0$ yields the bound that we claimed. Recall that the terms corresponding to $u_d > f(1)/f(d)$ do not contribute. □

We now proceed to prove Theorem 1. We build the basis iteratively, starting with $b_1$, chosen arbitrarily with $\|b_1\| = f(1)$. Assume now that $b_1, \ldots, b_{j-1}$ have already been chosen with $\|b_i^*\| = f(i)$ for $i < j$ and that they are HKZ-reduced. We choose $b_j$ as $b_j^* + \sum_{k<j} \mu_{j,k} b_k^*$ such that $\|b_j^*\| = f(j)$ and the random variables $(\mu_{j,k})_{k<j}$ are chosen uniformly and independently in $[-1/2, 1/2]$. Let $p_{i,j}$ be the probability that the vector $b_i^*$ is not a shortest non-zero vector of $L(b_i(i), \ldots, b_j(i))$. This means that there exist integers $(x_i, \ldots, x_j)$ such that

$$\Big\| \sum_{k=i}^{j} x_k b_k(i) \Big\| < \|b_i^*\|.$$

Since $(b_1, \ldots, b_{j-1})$ is HKZ-reduced, so is $(b_i(i), \ldots, b_{j-1}(i))$ and thus we must have $x_j \neq 0$. Lemma 1 gives us



< 



< 



< 




n 



/(*) 



n 



/(j)V\ V frr /(»•)' 



n 



We conclude the proof by observing that the probability of non-HKZ-reducedness of $(b_1, \ldots, b_j)$ is at most $\sum_{i<j} p_{i,j}$. By hypothesis, this quantity is $< 1$. Overall, this means that there exist $\mu_{j,i}$'s such that $(b_1, \ldots, b_j)$ is HKZ-reduced. □

The proof of the lemma and the derivation of the theorem may not seem tight. For instance, summing over all possible $(u_1, \ldots, u_j)$ might seem pessimistic in the proof of the lemma. We do not know how to improve the argument apart from the $x_d$ part, for which, when $j - i$ is large, the term



2\ ~ 



x>0 

could be interpreted as a Riemann sum corresponding to the integral 

/(») r /2 • A „ m 1 — ~ 

1 xax 



sm 



/(./) io /(i) V 2 0' -* + !)' 

Notice however that if one uses the same technique to look for vectors of lengths smaller than $\sqrt{c \cdot d} \cdot \big( \prod_{i \leq d} f(i) \big)^{\frac{1}{d}}$ instead of $f(1)$, one finds that there exists a lattice where there is no vector shorter than this length (with $x_d \neq 0$) as soon as $c <$ We thus recover, up to the restriction $x_d \neq 0$, the asymptotic lower bound on Hermite's constant. As a consequence, it seems that the main hope of improvement would be to replace the sum (in the proof of the theorem) by a maximum, or something intermediate. Replacing by a maximum seems quite difficult. It would require proving that, if vectors of lengths $< \|b_1\|$ exist, then one of them has $x_d \neq 0$, at least almost surely. A deeper understanding of that kind of phenomenon would allow one to obtain refined versions of Theorem 1.



4 Worst-Case HKZ-reduced Bases 

This section is devoted to the construction of an explicit function $f$ satisfying the conditions of Theorem 1 as tightly as possible. In order to make explicit the fact that $f$ depends on the underlying dimension $d$, we shall write $f_d$ instead of $f$. Note that though $f(i)$ will depend on $d$, this will not be the case for $f(d - i)$. Suppose that the basis is HKZ-reduced. Then $f_d$ must satisfy Minkowski-type inequalities, namely:



J-i+1 



We choose $f_d$ according to the strongest of those conditions, namely those we called the primary Minkowski inequalities, i.e., with $j = d$. It is known (see [17] for example) that this set of conditions does not suffice for an HKZ-reduced basis to exist. We thus expect to have to relax somehow these constraints. We will also replace the Hermite constant (known only for $d \leq 8$ and $d = 24$) by a more explicit term. For these reasons, we introduce



d-i+l 



where $\psi$ is to be chosen in the sequel. This equation uniquely defines $f_{\psi,d}(i)$ for all $i$ once we set $f_{\psi,d}(d) = 1$.

Theorem 2 Let $\psi(x) = C \cdot x$ with $C = \exp(-6)$. Then, for all $1 \leq i < j \leq d$, we have

«- ' + ir¥ t 1 - (if ) 2 ) Jte %M s (2 ^ + i)r * • 

Thanks to Theorem 1 we obtain the following.

Corollary 1 Let $\psi$ be as in the previous theorem. There exist HKZ-reduced bases with

$$\|b_i^*\| = f_{\psi,d}(i) = \sqrt{d-i+1} \cdot \prod_{l=i+1}^{d} \big( C(d-l+2) \big)^{\frac{1}{2(d-l+1)}}.$$

Moreover, when $d - i$ grows to infinity, we have

$$f_{\psi,d}(i) = (d-i+1)^{\frac{1+\log C}{2}} \cdot \exp\left( \frac{\log^2(d-i+1)}{4} + O(1) \right).$$



The proof of Theorem 2 follows from elementary analytical considerations. The elementary and somewhat technical nature of this proof leads us to postpone it to an appendix. It can be skipped without inconvenience for the general progression of the paper. We only give here an overview of the strategy.

First, we prove that (j — i + l) -1 ^ (ni=i jjF^j < Then, in order to prove that the whole 

term is actually smaller than $(2\pi e(\sqrt{e}+1)^2)^{\frac{i-j}{2}}$, we need to consider four different cases. Let us write $a = d - i + 1$ and $b = d - j + 1$. This change of variables makes the problem independent of $d$.

When $a$ and $b$ are very close, i.e., a > b > a — 1.65 ^^3 , the term $(1 - (f(j)/f(i))^2)$
can be made arbitrarily small when a grows to infinity. For a large enough, this yields a 
sufficiently small exponential term. 

When a and b are not too close but not too far either, i.e., a — 1.65 ,, a v , > b > na for 

any constant k, the term (j — i + 1)~V ^ni=i J$j) * s decreasing exponentially, at a rate 
which can be made arbitrarily large for a large enough (thanks to the "x" part of ijj(x)). 

When a/b — > +00, the "C" part of ij)(x) provides an exponential term. 

Finally, for small a (the arguments used in the previous zones only work when a is large 
enough), we have to perform numerical computations to check that the inequality is indeed 
true. 



Proof of the corollary. According to Theorem 2, we have



' ' 2vre N 2 



E 

i=i 



J -1 



2\ ~2~ 



n 



s E 

8=1 



3-i + l 
j -i 

i>l 



2 



(Ve+1) 
= 1. 



-(f-0 



The first part of the result follows from Theorem 1 and basic computations that are actually detailed in the appendix (Lemma 3). For the second part, note that our choice of $\psi$ gives

$$2 \log f_{\psi,d}(i) = \log(d-i+1) + \sum_{l=i+1}^{d} \frac{\log C + \log(d-l+2)}{d-l+1}.$$



Suppose that d — i —> +00. We have 



E 

l=i+l 



log(d -1 + 2) 
d-l + 1 



log(d — x + 1) 
d — x + 1 



dx 



< 



E 



log(d -l + l) 



=i+i 



d-l + 1 



log(d — x + 1) 
d — x + 1 

1 



dx 



;=i+i v ; 

log(d-/ + l) log(d-x + l) 



<o(i)+E / 

d 

< 0(1) + V max 

jfr-^ xe[J-i,q (d - x + 1) 



d- / + 1 d-x + 1 

1 -\og(d-x + 1)| 



da; 



0(1). 



Classically, we also have

$$\sum_{l=i+1}^{d} \frac{\log C}{d-l+1} = \log(C) \cdot \log(d-i+1) + O(1).$$






Worst-Case Hermite-Korkine-Zolotarev Reduced Lattice Bases 






The result follows from the fact that $\int_i^d \frac{\log(d-x+1)}{d-x+1}\,dx = \frac{\log^2(d-i+1)}{2}$. □

As a direct consequence of the Corollary, we also have

Corollary 2 Let $\psi$ be as in the previous theorem. There exist dual-HKZ-reduced bases with

d 

WKW = U,d® = (Vd-z + l)- 1 ■ H (C(d - I + 2))- Wi) . 

l=i+l 

Moreover, when d — i grows to infinity, we have 

= {d-i + 1)— »~ . exp ^ — *LA_ L + o(i) j . 



5 Lower Bounds Related to the HKZ-Reduction 

The HKZ-reduced bases that we built in the previous section provide lower bounds to several quantities. They give a lower bound on the complexity of Kannan's algorithm for computing a shortest non-zero vector [11] that matches the best known upper bound [8]. They also provide essentially optimal lower bounds to Schnorr's constants $\alpha_k$ and $\beta_k$.



5.1 Reminders on Kannan's Algorithm 

A detailed description of Kannan's algorithm can be found in [19]. Its aim is to HKZ-reduce a given basis $(b_1, \ldots, b_d)$. To do this, it first quasi-HKZ-reduces it, which means that $\|b_1\| \leq 2\|b_2^*\|$ and the basis $(b_2(2), \ldots, b_d(2))$ is HKZ-reduced. After this first step, it finds all solutions $(x_1, \ldots, x_d) \in \mathbb{Z}^d$ to the equation

$$\Big\| \sum_{i=1}^{d} x_i b_i \Big\| \leq \|b_1\|. \qquad (1)$$

It keeps the shortest non-zero vector $\sum_{i=1}^{d} x_i b_i$, which attains the lattice minimum, extends it into a lattice basis and HKZ-reduces the projection of the last $d - 1$ vectors orthogonally to the first one.

The computationally dominant step is the second one, i.e., solving Equation (1). It is performed by enumerating all integer points within hyper-ellipsoids. Equation (1) implies that:

$$|x_d| \cdot \|b_d^*\| \leq \|b_1\|.$$

We consider all the possible integers $x_d$ that satisfy this equation. For any of them, we consider the following equation, which also follows from Equation (1):

$$|x_{d-1} + \mu_{d,d-1} x_d| \cdot \|b_{d-1}^*\| \leq \big( \|b_1\|^2 - x_d^2 \|b_d^*\|^2 \big)^{1/2}.$$

This gives a finite number of possibilities for the integer $x_{d-1}$ to be explored.

Suppose that $(x_{i+1}, \ldots, x_d)$ have been chosen. We then consider the following consequence of Equation (1):

$$\Big| x_i + \sum_{j>i} \mu_{j,i} x_j \Big| \cdot \|b_i^*\| \leq \Big( \|b_1\|^2 - \sum_{j>i} \Big( x_j + \sum_{k>j} \mu_{k,j} x_k \Big)^2 \|b_j^*\|^2 \Big)^{1/2},$$

which gives a finite number of possibilities to be considered for the integer $x_i$.

Overall, Equation (1) is solved by enumerating all the integer points within the hyper-ellipsoids

$$\mathcal{E}_i = \Big\{ (y_i, \ldots, y_d) \in \mathbb{R}^{d-i+1},\ \Big\| \sum_{j \geq i} y_j b_j(i) \Big\| \leq \|b_1\| \Big\}.$$
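The enumeration of this subsection and the Gram-Schmidt drawing of Section 3, as an added Python example (not code from the paper): it counts the integer points visited at each depth and tests HKZ-reducedness by the recursive definition of Section 2. The function names, the float tolerance `eps`, the seed and the sample profiles `flat` and `decaying` are assumptions made for illustration.

```python
import math
import random

def gso(basis):
    """Gram-Schmidt data of the rows of `basis`: (||b_i^*||^2, mu_{i,j})."""
    d = len(basis)
    bstar, norms = [], []
    mu = [[0.0] * d for _ in range(d)]
    for i in range(d):
        v = [float(a) for a in basis[i]]
        for j in range(i):
            mu[i][j] = sum(a * b for a, b in zip(basis[i], bstar[j])) / norms[j]
            v = [a - mu[i][j] * b for a, b in zip(v, bstar[j])]
        bstar.append(v)
        norms.append(sum(a * a for a in v))
    return norms, mu

def draw_basis(f, rng):
    """Section 3 drawing: ||b_i^*|| = f[i] and mu_{i,j} uniform in [-1/2, 1/2].
    Row i holds the coordinates of b_i in the orthonormal frame b_j^*/||b_j^*||."""
    d = len(f)
    return [[rng.uniform(-0.5, 0.5) * f[j] if j < i else (f[i] if j == i else 0.0)
             for j in range(d)] for i in range(d)]

def enumerate_short(basis, eps=1e-9):
    """All integer x with ||sum_i x_i b_i|| <= ||b_1||, found coordinate by
    coordinate from x_d down to x_1 as in Section 5.1.
    Returns (x, squared norm) of a shortest non-zero solution and counts, where
    counts[i] is the number of integer points (x_i, ..., x_d) visited at depth i."""
    norms, mu = gso(basis)
    d = len(basis)
    bound = norms[0] * (1 + eps)          # ||b_1||^2, with a float tolerance
    counts = [0] * d
    best = [None, math.inf]
    x = [0] * d

    def descend(i, partial):
        # partial = sum_{j>i} (x_j + sum_{k>j} mu_{k,j} x_k)^2 ||b_j^*||^2
        centre = -sum(mu[k][i] * x[k] for k in range(i + 1, d))
        radius = math.sqrt(max(bound - partial, 0.0) / norms[i])
        for xi in range(math.ceil(centre - radius), math.floor(centre + radius) + 1):
            total = partial + (xi - centre) ** 2 * norms[i]
            if total > bound:
                continue
            x[i] = xi
            counts[i] += 1
            if i > 0:
                descend(i - 1, total)
            elif any(x) and total < best[1]:
                best[0], best[1] = tuple(x), total
        x[i] = 0

    descend(d - 1, 0.0)
    return best[0], best[1], counts

def is_hkz(basis, eps=1e-9):
    """HKZ test following the recursive definition of Section 2: for every i,
    b_i^* must be a shortest non-zero vector of the lattice spanned by
    (b_i(i), ..., b_d(i))."""
    norms, mu = gso(basis)
    d = len(basis)
    # Coordinates in the Gram-Schmidt frame; dropping the first i columns
    # projects orthogonally to the first i basis vectors.
    frame = [[mu[k][j] * math.sqrt(norms[j]) if j < k
              else (math.sqrt(norms[k]) if j == k else 0.0)
              for j in range(d)] for k in range(d)]
    for i in range(d):
        block = [row[i:] for row in frame[i:]]
        _, shortest, _ = enumerate_short(block, eps)
        if shortest < norms[i] * (1 - eps):
            return False
    return True

if __name__ == "__main__":
    rng = random.Random(2008)             # constructed sample, fixed seed
    for label, f in (("flat", [1.0] * 6), ("decaying", [0.75 ** i for i in range(6)])):
        B = draw_basis(f, rng)
        _, n2, counts = enumerate_short(B)
        print(label, "HKZ:", is_hkz(B), "points per depth:", counts,
              "shortest/||b_1||: %.3f" % math.sqrt(n2 / f[0] ** 2))
```

The per-depth counts are the cardinalities that Section 5.2 sums to bound the cost of the enumeration from below.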



5.2 On the cost of Kannan's algorithm 

In this subsection, we provide a worst-case complexity lower bound to Kannan's algorithm by considering the worst-case HKZ-reduced bases built in the previous section. For these, the first step of Kannan's algorithm has no effect, and we give a lower bound to the cost of the second one by providing a lower bound to the sum of the cardinalities of the sets $\mathcal{E}_i \cap \mathbb{Z}^{d-i+1}$.

Lemma 2 Let $(b_1, \ldots, b_d)$ be a lattice basis. The number of points enumerated by Kannan's algorithm is at least the sum of the number of integer points in each of the hyperellipsoids



Proof. Let 

Vi - 



bd—i+l 



t>d— i+1 



be defined by (f>(yi 



[Zi, . . . , Zd) such that Zi = 

Y.k>j VK3 Z 3 ■ Tne function is injective. Indeed, <p(y h ...,y d ) = (z h . . . , z d ) implies 
that yj = Zj + I ^2 k>j HkjZj^ , which means that (z{, . . . ,Zd) uniquely determines (y i: 



Vd) 



Furthermore, 



= ( z i + Yl ) b *3 = + 5 i) h *i> 

j>i j>i \ k>j / j>i 

for some 5j G [—1/2, 1/2]. Hence, for (y h . . .,y<i) 6 S[V\ Z d ~ l+1 , the z^'s are integers and 



3>i 



j>i 



3>i 



This implies that if [y i: . . .,yd) £ £>[ H Z d_l+1 then 4>{Vii ■ ■ ■ ,Vd) Z d ~ t+1 is indeed consid- 

ered. □ 
We can now provide a lower bound to the cost of Kannan's algorithm. This lower bound is essentially the best possible, since it matches the upper bound of [8]. This also shows that the worst-case HKZ-reduced bases are worst-case inputs for Kannan's algorithm.

Theorem 3 Let $(b_1, \ldots, b_d)$ be a lattice basis. Let $i$ be such that $\|b_j^*\| \leq \frac{\|b_1\|}{\sqrt{d}}$ for all $j \geq i$. Then, the number of points considered by Kannan's algorithm is at least



-d+i-l 



n 



, 4 ^n^ir 

In particular, given as input the basis built in the previous section, Kannan's algorithm performs at least $d^{\frac{d}{2e}(1+o(1))}$ operations.



Proof. The set E[ contains the subset 



n 



\bi\ 



\bi\ 



Vdwqw' Vd\\b* 

This means that the cardinality of £[ fl Z d ~ l+1 is greater than 



\{0} 



\Td\\b*A 



-0*11 * 



i&ii 



Vd\m 



3 



> 



2 d- 



1 d 



N 



y/d\\m' 



This proves the first part of the theorem. It remains to evaluate this quantity for the basis built in 
the previous section. For this basis, we have, for any i < d, 

16*1 



n 



,6* 

j>i 'I j 



As a consequence, the number of operations performed by Kannan's algorithm given this 
basis as input is greater than 



C(d-i + l] 
Ad 



\bi\ 
16*1 



d—i+l 



for any i such that ||6*|| < ^jg- for j > i. We choose i — d (l — ~) + a-^-^ 
fixed later. Let j > i. According to Corollary [Q if d — j — > +00, we have 
log 2 (d-j + l)-log 2 d 



for some a to be 



61 



+ (1 + logC) (log(d - j + 1) - logd) + 0(1) 



< log d J + 1 (\ogd+l + \ogC) + 0(l) 



< lot 



d 

d-i + 1 
d 



(logd + l + logC) + 0(l) 



^ \e logd ~^ \d 
< -logd - ae + 0(1). 



(logd+l + logC) + 0(l) 



For a and d large enough, we shall indeed have ||6*|| < ^=|- for any j > i. Hence, since for 



this value of i we have ( ^ /d J^ rl 
becomes d^/2°( d \ which concludes the proof of the theorem. 



d-i+l 



2 -o(d) and ( M 



d-i+l 



dt /2 0( - d \ the lower bound 

□ 
5.3 On Schnorr's Constants

First of all, we improve the best known upper bound for $\alpha_k$ from $k^{\log k+1}$ to $k^{\frac{\log k}{2}+O(1)}$. We will see below that this improved upper bound is essentially the best possible.

Theorem 4 Let $k \geq 2$. Then $\alpha_k \leq k^{\frac{\log k}{2}+O(1)}$.

Proof. Let $(b_1, \ldots, b_k)$ be an HKZ-reduced basis. For any $i$, we have

$$\|b_i^*\|^{k-i} \leq \sqrt{k-i+1}^{\,k-i+1} \prod_{j>i} \|b_j^*\|.$$

Let the sequence $(u_i)$ be defined by $u_k = \|b_k^*\|$ and $u_i^{k-i} = \sqrt{k-i+1}^{\,k-i+1} \prod_{j>i} u_j$. Then the sequence $(u_i)$ dominates the sequence $(\|b_i^*\|)$. Moreover,



U: 



y/k-i + 1 
U i+ i y/k — i 

which implies that 



\/k-i + l k -\ 



M <^<vmv^ <o{i)Vkk lJ ^. 



ll^ll u k 

i<k 

This concludes the proof. □ 
We now show that the new upper bound on $\alpha_k$ and the upper bound $\beta_k \leq \frac{1}{10} k^{2 \log 2}$ are essentially the best possible. They are in particular essentially reached for the worst-case HKZ-reduced bases of the previous section.

Theorem 5 Let $k \geq 2$. We have:

$$\alpha_k = k^{\frac{\log k}{2} + O(1)} \quad \text{and} \quad \beta_k = k^{2 \log 2 + O\left(\frac{1}{\log k}\right)}.$$

Proof. Consider a worst-case $k$-dimensional HKZ-reduced basis as described in the previous section. We have $\|b_k^*\| = 1$, and $\|b_1\| = k^{\frac{\log k}{4} + O(1)}$ follows from Corollary 1.

Now, we consider a worst-case $2k$-dimensional HKZ-reduced basis $(b_1, \ldots, b_{2k})$ of a lattice $L$ as described in the previous section. We have the following lower bounds:

t\ 2k 
V2k 
Vk \\K +1 \ 

Furthermore, (p^)* = exp (log 2 (2A;) - \og 2 (k) + 0(1)) = fc 21og2 exp (0(1)), as claimed. 
6 Difficult Bases for the BKZ Reductions

In this section, we build lattice bases that are $k$-BKZ reduced, but far from being fully HKZ-reduced. In the previous section, we showed lower bounds to Schnorr's constants appearing in the quality analysis of the hierarchies of reductions. Here we prove lower bounds on the quality itself. Note that the lower bounds that we obtain are of the same order of magnitude as the corresponding upper bounds, but the involved constants are smaller. This suggests that it may not be possible to combine worst cases for Schnorr's constants in order to build bad bases for the BKZ hierarchy of reductions and that better upper bounds may be proved by using an amortised analysis.

In the following, we fix a block-size $k$. The strategy used to prove the existence of the basis is almost the same as in Section 3. The sole difference is that when we add a new basis vector $b_j$, we only require $(b_{j-k+1}(j-k+1), \ldots, b_j(j-k+1))$ to be HKZ-reduced instead of $(b_1, \ldots, b_j)$. This modification provides us the following result.

Theorem 6 Let $d \geq k$ and $f : [\![1, d]\!] \to \mathbb{R}^+ \setminus \{0\}$. Assume that for any $j \leq d$, one has

i-i 

J 



3-1 




e S "i>-o ) in^)<i- 



i=max(j — fc+1,1) 

Then there exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = f(i)$.

We now give a function $f$ that fulfils the requirements of Theorem 6.

Corollary 3 Let $k$ be an integer and $c < 1$ be a constant such that

$$\sum_{l=1}^{k-1} \left( \frac{4\pi e}{l c} \sinh(-l \log c) \right)^{\frac{l}{2}} < 1.$$

Then, there exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = c^i$.

Proof. Let $f(i) = c^i$ for any $i \leq d$. The condition of Theorem 6 becomes

$$\forall j \leq d, \quad \sum_{i=\max(j-k+1,1)}^{j-1} \left( \frac{2\pi e}{j-i} \big( 1 - c^{2(j-i)} \big) c^{-(j-i+1)} \right)^{\frac{j-i}{2}} < 1,$$

or equivalently

$$\forall j \leq d, \quad \sum_{l=1}^{\min(k-1,j-1)} \left( \frac{2\pi e}{l} \big( 1 - c^{2l} \big) c^{-(l+1)} \right)^{\frac{l}{2}} < 1.$$

Since $k \leq d$, this condition is equivalent to the one stated in the corollary. □

Using the corollary above, one can compute a suitable constant $c$ for any given block-size. For $k = 2$, one can take $c = 0.972$, for $k = 3$, one can take $c = 0.985$ and for $k < 10$, one can take $c = 0.987$. The optimal value of $c$ seems to grow very slowly with $k$. However, it does grow since for any fixed $c$, the general term of the sum tends to $+\infty$ when $l$ grows to $+\infty$. We can also derive the following general result, as soon as the block-size is large enough:

Corollary 4 Let $d \geq k \geq 8\pi e$. There exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ of a lattice $L$

i 

with \\b*\\ = (fzf) k ■ I n particular, for any such basis, we have: 



IM > -Ti 



(—) 

V 8vre J 



X(L) 
i 

Proof. Let c = (fzf ) fe an d : x i— > - sinh(x log c). We have that 

,,, . 1 . , . , . logc . . cosh(xlogc) . . . 

4> (x) = smh(xlogc) H cosh(xlogc) = (— tanh(xlogc) +xlogc). 

Since tanhx < x for any x < 0, we have that the function <\> decreases when x < 0. As a 
consequence, we obtain that for any / < k, 

— smh -/logc < — c' k < 1/4. 

Ic (k — 1) 

It follows that the condition of Theorem [6] is satisfied. It now remains to give a lower bound 
to ||6 1 ||/A(L). We have ||&i|| = (fzf) k and Minkowski's theorem gives us that 

87re ^ 2k 



This directly provides the second claim of the theorem. □ 
By comparing to 1 the last term of the sum in Corollary 3, one sees that the following must
hold:

k - 1 



(c -k _ c fc +2) < 



2vre 

This means that, apart from replacing $8\pi e$ by $2\pi e$ in Corollary 4, one cannot hope for a much
better constant by using our technique.



7 Concluding Remarks 

We showed the existence of bases that are particularly bad from diverse perspectives related 
to strong lattice reductions and strong lattice reduction algorithms. A natural extension of our 
work would be to show how to generate such bases efficiently, for example by showing that 
the probabilities of obtaining bases of the desired properties can be made extremely close to 1. 
Another difficulty related to this goal will be to transfer the results from the continuous model, 
i.e., $\mathbb{R}^n$, to a discrete space, e.g., $\mathbb{Q}^n$ with a bound on denominators.

Our results allow us to claim that some algorithms/reductions are better than others from the
worst-case asymptotic complexity point of view. This only gives a new insight on what should 
be done in practice. It is well-known (see [fl~4| about the LLL algorithm) that low-dimensional 
lattices may behave quite differently from predicted by the worst-case high-dimensional results. 

Proof of Theorem 2

This section is devoted to proving Theorem 2. Since $\exp(5) > 2\pi e(\sqrt{e} + 1)^2$, it suffices to prove
the following result.

Theorem 7 Let $\psi(x) = C \cdot x$ with $C = \exp(-6)$. Then for all $1 < i < j < d$, we have




UA k ) 



< exp ( --(j - i) 



where f^ d ( d ) = 1 and /^(z) = \/ip{d - i + 1) • (IlLi UA k ) 
We shall work separately with the following two terms of the theorem:

We call these terms $T_1$ and $T_2$. Another notation that we use is $a = d - i + 1$ and $b = d - j + 1$,
which is natural since the function $x \mapsto f(d - x + 1)$ does not depend on $d$. The domain of valid
pairs $(a, b)$ is $1 < b < a < d$.

Notice that if $j = d$, then we can use the definition of $f_{\psi,d}$, and by bounding $T_1$ by 1, we
obtain the sufficient condition:

\J d — i + 1 exp(— 3(d — i + 1)) < exp ^— ^(d — i)^ , 

which is valid. In the following, we will assume that j < d. 

Our proof is made of four main steps. The first step consists in simplifying the expressions
of the terms $T_1$ and $T_2$. In the second step, we try to obtain the result without the first term, i.e.,
while bounding $T_1$ by 1. We reach this goal for $a > 158000$ along with $b < a - \frac{1.65a}{(\log a)^3}$. In the third
step, we use $T_2$ to obtain the result for $a > 158000$ along with $b > a - \frac{1.65a}{(\log a)^3}$. Finally, we prove
the result for $1 < b < a < 158000$ with an exhaustive check of the inequality to be satisfied.

7.1 Explicit Formulas 

The results of this subsection remain correct for any function $\psi$.
Lemma 3 The following holds for any k > i: 

k 



Proof We have 

d 



k=i+l 

and 

d 

u, d (i +i)« , - i =^(d-<)^- n 

k=i+l 

By taking the quotient, we obtain 



yj(d — i + l) 2 ( d - 1 ) . 



The lemma follows by induction. □ 
The following lemma simplifies the expression of the term T 2 . 
Lemma 4 The following holds for any $j > i$:



k=i+1 UM Vim ^(d-l + l)(d-l + 2)™ 
Proof. We have 

"tt UAi) = ( tt UAS) \ ( tt UAj) \ ( UAi) x 

The first two terms can be made explicit by using the definition of $f_{\psi,d}$, and the last one has been
studied in Lemma 3. We get:



j-d 



d- 




1 2 


d 


-.7 + 1 


) 


2 


i- 


-t+1 


2 



T) 



] [ ip(d-l + 2)W- 



i+i) 



+ l= . +1 

j-r tp(d-i + l)xp(d-l + 2) 
viiti - / + l)V>(d - / + 2) <™ 

as claimed. □ 
Note that by writing a = d — i + 1 and b = d — j + 1, the two lemmas above give us: 



7.2 Tentative Proof of Theorem 7 Without Using $T_1$



i 



We consider the logarithm of ( j — i + 1) J 2 T 2 and try to show that it is smaller than — |(j — i) 
Thanks to LemmaSl this is equivalent to showing that: 



$$-(a-b)\log(a-b+1) + \sum_{l=b}^{a-1} \left( \log\psi(a) - \log\psi(l) + \log\psi(l+1)\left(1 - \frac{b-1}{l}\right) \right) < -5(a-b). \qquad (2)$$

We first try to simplify the summand. 

Lemma 5 Let $b > 2$ be an integer. The function $x \in [b, a-1] \mapsto -\log x + \log(x+1)\left(1 - \frac{b-1}{x}\right)$
is increasing for $x > b$ if $b > 3$ and for $x > 4$ if $b = 2$.
Proof. The derivative is lo g( a+1 K 2 b ^(^ +1 ) bx . It follows that the function under study is
increasing as soon as (l + |) log (a; + 1) > The result follows from the facts that ^ < 2, 
that | log 5 > 2 and that | log 4 > |. □ 

By using Lemma 5, we obtain an upper bound to $T_2$ if we had taken $\psi(x) = x$ instead
of $\psi(x) = C \cdot x$.

Lemma 6 The following holds for $a > 8$:

$$\sum_{x=b}^{a-1} \left( \log a - \log x + \log(x+1)\left(1 - \frac{b-1}{x}\right) \right) < (a-b)\log(a-b+1) + (a-b)\left( \log\frac{a^2}{(a-1)(a-b+1)} - \frac{b-1}{a-1}\log a \right).$$

Proof. When $b > 3$, the result follows directly from Lemma 5 by noticing that for all
$x \in [b, a-1]$ we have

$$-\log x + \log(x+1)\left(1 - \frac{b-1}{x}\right) < -\log(a-1) + \log(a)\,\frac{a-b}{a-1}.$$

Suppose now that $b = 2$. It can be checked numerically that the inequality holds for $a = 8$.
Suppose now that $a > 8$. We have:



^loga — logs + log(a; + 1) ^1 j 



< 6 log 7 + 6 ^log ^ - i log 
+ (logo-log(o- 1) + log(a)^— j-j 

= ( loga ~ log ( a ~~ ^ + lo s( a )~TT ) ' 

x=2 ^ a j 

which gives the result. □ 
Notice that Lemma 6 implies that $T_2$ with $\psi(x) = x$ instead of $C \cdot x$ already compensates the
term "$(a-b)\log(a-b+1)$" of Equation (2). Indeed, the function $\theta : b \mapsto \log\frac{a^2}{(a-1)(a-b+1)} - \frac{b-1}{a-1}\log a$
is convex and

$$\theta(2) = 2\log\frac{a}{a-1} - \frac{\log a}{a-1} \quad \text{and} \quad \theta(a-1) = \log\frac{a}{2(a-1)} + \frac{\log a}{a-1}.$$

Both $\theta(2)$ and $\theta(a-1)$, and thus all $\theta(x)$ for $x \in [2, a-1]$, are $< 0$ for $a > 8$.
We now consider the left hand-side of Equation (2) with $\psi(x) = C \cdot x$.



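Lemma 7 Let $\alpha(a,b) = \log\frac{a}{a-b} - \frac{b-1}{a-1}\log a$ and $\beta(a,b) = 1 - \frac{b}{a-b}\log\frac{a}{b}$. For $a > 8$, we have:

$$-(a-b)\log(a-b+1) + \sum_{l=b}^{a-1} \left( \log\psi(a) - \log\psi(l) + \log\psi(l+1)\left(1 - \frac{b-1}{l}\right) \right) < (a-b)\left(\alpha(a,b) + \beta(a,b)\log C\right).$$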
Proof. First of all, we have:

a-l 



a - 6)log(o -b+ 1) + ^ ^loga - log/ + log(Z + 1) ^1 - ^y^"JJ 



< a (a, b). 



This follows from Lemma 6 and the fact that $(a-1)(a-b+1) > a(a-b)$. We now consider
the terms depending on C. Since YT x =b+i x — 1°S f an ^ log C < 0, we have: 

]T (bg(C) (l - ) < log(C) (a - b - (b - 1) log |) < log(C)/?(a, 6), 

which gives the result. □ 
In the following, we study the function $(a, b) \mapsto \alpha(a,b) + \beta(a,b)\log C$. We would like
to bound it by $-5$, but we will be able to do this only for a subset of all possible values of the
pair $(a, b)$.

Lemma 8 Let $0 < \kappa < 1$ be a real constant and suppose that $a > 8$. The function
$a \mapsto \alpha(a, \kappa a) + \beta(a, \kappa a)\log C$ decreases with respect to $a$.

Proof. We have

$$\alpha(a, \kappa a) + \beta(a, \kappa a)\log C = -\log(1-\kappa) + \log C\left(1 + \frac{\kappa\log\kappa}{1-\kappa}\right) - \frac{(\kappa a - 1)\log a}{a-1}.$$

Hence,

$$\frac{\partial}{\partial a}\left(\alpha(a, \kappa a) + \log C\,\beta(a, \kappa a)\right) = \frac{-\kappa a^2 + a\log a\,(\kappa - 1) + (\kappa+1)a - 1}{a(a-1)^2}.$$

For the numerator to be negative, it suffices that $a > 1 + \frac{1}{\kappa}$ (then the term in $a^2$ is larger than
the term in $a$) or that $a > \exp\left(\frac{\kappa+1}{1-\kappa}\right)$ (then the term in $a\log a$ is larger than the term in $a$). Since

$$\max_{\kappa \in [0,1]} \min\left(1 + \frac{1}{\kappa},\ \exp\left(\frac{\kappa+1}{1-\kappa}\right)\right) < 6,$$

the result follows. □
In the results above, we did not need $C = \exp(-6)$. The only property we used about $C$
was $\log C < 0$. In the sequel, we define $\tau(a, \kappa) = \alpha(a, \kappa a) - 6\beta(a, \kappa a)$. We are to prove
that $\tau(a, \kappa) < -5$ as soon as $\kappa$ is not very close to 1.

Lemma 9 For any $a > 755$, the function $\kappa \mapsto \tau(a, \kappa)$ increases to a local maximum in $[0, \frac{1}{2}]$,
then decreases to a local minimum in $\left[\frac{1}{2}, 1 - \frac{1}{2\log a}\right]$ and increases.
Proof. We first study

$$\frac{\partial^3}{\partial\kappa^3}\tau(a,\kappa) = \frac{20\kappa^2 + 10\kappa^3 + 6 - 36\kappa - 36\kappa^2\log\kappa}{(1-\kappa)^4\kappa^2}.$$

Using the fact that $\log\kappa < (\kappa-1) - (\kappa-1)^2/2 + (\kappa-1)^3/3$ for $\kappa \in [0, 1]$, we find that
the numerator can be lower bounded by a polynomial which is non-negative for $\kappa \in [0, 1]$. As a
consequence, $\tau'_\kappa(a, \kappa) = \frac{\partial}{\partial\kappa}\tau(a, \kappa)$ is a convex function with respect to $\kappa \in (0, 1)$.

Notice now that $\tau'_\kappa(a, \kappa) = -6\log\kappa + o(\log\kappa) > 0$ for $\kappa$ close to 0, that
$\tau'_\kappa(a, 1/2) = -10 + 24\log 2 - \frac{a}{a-1}\log a < 0$ for $a > 755$, and finally that

$$\tau'_\kappa\left(a, 1 - \frac{1}{2\log a}\right) = -10\log a - 24\log\left(1 - \frac{1}{2\log a}\right)\log^2 a - \frac{a}{a-1}\log a > 2\log a - \frac{a}{a-1}\log a,$$

which is clearly positive for $a > 3$. □
The following lemma provides the result claimed in Theorem 7 for $a > 158000$ and
$b < a - \frac{1.65a}{(\log a)^3}$.

Lemma 10 Suppose that $a > 158000$. Then, for all $\kappa < 1 - \frac{1.65}{(\log a)^3}$, we have
$\alpha(a, \kappa a) - 6\beta(a, \kappa a) < -5$.

Proof. Let $a_0 = 158000$. We have $\tau'_\kappa(a_0, 0.08962) > 0 > \tau'_\kappa(a_0, 0.08963)$. Furthermore, for
$\kappa \in [0.0937, 0.0938]$, we have

$$|\tau'_\kappa(a_0, \kappa)| < \max\left(|\tau'_\kappa(a_0, 0.08962)|, |\tau'_\kappa(a_0, 0.08963)|\right) < 3 \cdot 10^{-4}.$$

Hence,

$$\max_{\kappa \in [0.08962, 0.08963]} \tau(a_0, \kappa) < \tau(a_0, 0.08962) + 3 \cdot 10^{-9} < -5.$$

Thanks to Lemmas 8 and 9, we have, for $a > 158000$:

$$\max_{\kappa \in [0, 1/2]} \left(\alpha(a, \kappa a) - 6\beta(a, \kappa a)\right) < -5.$$

Furthermore, since 2 J ga > and thanks to Lemma|9l we have, for any a > 158000: 



1\ / 1 1-65 
r a, 1 — 



« e [i V V 2/ V log a 

L z log° a J 

Notice that

$$\tau\left(a, 1 - \frac{1.65}{(\log a)^3}\right) < \alpha\left(a, a - \frac{1.65a}{(\log a)^3}\right) = -\log 1.65 + 3\log\log a - \log a + \frac{a}{a-1}\cdot\frac{1.65}{(\log a)^2},$$

which is decreasing with respect to $a > 158000$. Moreover, for $a = 158000$, its value is
below $-5$. As a consequence,



^^[2'"^" log^ a] 

□ 
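
A floating-point sanity check of the numerical claims in the proof of Lemma 10, added here as an example and not part of the original report. It assumes the closed form $\alpha(a,\kappa a) - 6\beta(a,\kappa a) = -\log(1-\kappa) - 6\left(1 + \frac{\kappa\log\kappa}{1-\kappa}\right) - \frac{(\kappa a-1)\log a}{a-1}$ from the proof of Lemma 8 with $\log C = -6$; the function names are hypothetical, and plain floats give no rigorous enclosure of the kind the interval-arithmetic check of Lemma 12 provides.

```python
import math

A0 = 158000      # threshold a_0 from the proof of Lemma 10
LOG_C = -6.0     # log C for C = exp(-6)

def tau(a, kappa):
    """alpha(a, kappa*a) + log(C) * beta(a, kappa*a), closed form assumed from Lemma 8."""
    alpha = -math.log(1 - kappa) - (kappa * a - 1) * math.log(a) / (a - 1)
    beta = 1 + kappa * math.log(kappa) / (1 - kappa)
    return alpha + LOG_C * beta

def dtau(a, kappa):
    """Derivative of tau with respect to kappa (differentiated by hand)."""
    return (1 / (1 - kappa)
            - a * math.log(a) / (a - 1)
            + LOG_C * (math.log(kappa) + 1 - kappa) / (1 - kappa) ** 2)

def local_max_kappa(a, lo=1e-6, hi=0.5, iters=80):
    """Bisect dtau on (0, 1/2]; Lemma 9 gives one sign change there for a > 755."""
    if not (dtau(a, lo) > 0 > dtau(a, hi)):
        raise ValueError("dtau does not change sign on the bracket")
    for _ in range(iters):
        mid = (lo + hi) / 2
        if dtau(a, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def boundary_kappa(a):
    """Right end of the range handled by Lemma 10: 1 - 1.65 / (log a)^3."""
    return 1 - 1.65 / math.log(a) ** 3

def check_lemma10(a=A0):
    """Values that the proof compares with -5."""
    k_star = local_max_kappa(a)
    return {
        "k_star": k_star,
        "tau_at_local_max": tau(a, k_star),
        "tau_at_half": tau(a, 0.5),
        "tau_at_boundary": tau(a, boundary_kappa(a)),
    }

if __name__ == "__main__":
    for name, value in check_lemma10().items():
        print(f"{name:>17}: {value:.6f}")
```

The tightest of the three values is the one at $\kappa = 1 - 1.65/(\log a)^3$, which is why the constant 1.65 cannot be lowered much at $a = 158000$.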
7.3 Using $T_1$ When $b > a - \frac{1.65a}{(\log a)^3}$

This section ends the proof of Theorem 7 for $a > 158000$.

Lemma 11 Assume that $\psi(x) = e^{-6} \cdot x$. Then, for $a > b > a - \frac{1.65a}{(\log a)^3}$ and $a > a_1 > 1782$,
we have

1 _ ( UAd~b+l) \ 2 < 1 _ (_ x 65 logai-5 \ 
V/^(^-« + 1 )/ ~ V log 3 a x - 1.657 ' 

Proof. According to Lemma 3, we have

01 y^-Hl) , /a\ , ^ -6 + log(/ + l) 
U,d(d-a + l) \bJ ^ I 



< 1.65 



1.65 -6 + log a 

< - — 5 \- (a-b) 

log a — 1.65 

log a — 5 



(log a) 3 — 1.65 



This upper bound decreases with respect to a > 1782. □ 
By using Lemma [TOl and the fact that fi(a, b) < 0, we see that the left hand side of Equa- 
tion (O is upper bounded, for b > a — 1.65 and a > a x > 1782, by: 

(a - b) log (l - exp (-1.65^^-)) < (a - b) log ( 1.65 ^ = 5 
V ; & V V log 3 a! - 1.65 - V ; & V logV - 1-65 

and the constant in the right hand side is below —5 when a x = 158000. 

7.4 Small Values of a 

It only remains to prove Theorem 7 for small values of $a$. The following lemma was obtained
numerically. In order to provide a reliable proof, we used the Boost interval arithmetic library [|3l 
and CRlibm [6 J as underlying floating-point libraries. 

Lemma 12 Let $\psi(x) = e^{-6} \cdot x$. For any $2 < b < a < 158000$, we have

j-i 

+ k=i+l 



with i = d — a + 1 and j = d — b + 1. 
7.5 Concluding Remarks

The value of $C = \exp(-6)$ is not optimal. Given the line of proof used above (obtaining a
geometric decreasing of the general term of the sum in Theorem [B, the best value of C that 
one can expect is limited by the term corresponding to $j = d$, $i = d - 1$, for which we must
have $(2\pi e) \cdot (2C) <$

Note however that the probability p of Lemma \T\ involved in our criterion can be computed 
more precisely for small dimensional lattices, thus improving the optimal value of C that can be 
reached. 